ghsa-52c5-vh7f-26fx
Vulnerability from github
Impact
The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.
Who is impacted: - Any application using prosemirror_to_html to convert ProseMirror documents to HTML - Applications that process user-generated ProseMirror content are at highest risk - End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers
Attack vectors include:
- href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
- Event handlers: <div onclick="maliciousCode()">
- onerror attributes on images: <img src=x onerror="alert('XSS')">
- Other HTML attributes that can execute JavaScript
Patches
A fix is currently in development. Users should upgrade to version 0.2.1 or later once released.
The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.
Workarounds
Until a patched version is available, users can implement one or more of these mitigations:
-
Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah:
ruby html = ProsemirrorToHtml.render(document) safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) -
Implement Content Security Policy (CSP): Add strict CSP headers to prevent inline JavaScript execution:
Content-Security-Policy: default-src 'self'; script-src 'self' -
Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.
References
- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
- OWASP XSS Prevention Cheat Sheet
- CWE-79: Improper Neutralization of Input During Web Page Generation
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "prosemirror_to_html"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T15:44:35Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.\n\n**Who is impacted:**\n- Any application using prosemirror_to_html to convert ProseMirror documents to HTML\n- Applications that process user-generated ProseMirror content are at highest risk\n- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers\n\n**Attack vectors include:**\n- `href` attributes with `javascript:` protocol: `\u003ca href=\"javascript:alert(document.cookie)\"\u003e`\n- Event handlers: `\u003cdiv onclick=\"maliciousCode()\"\u003e`\n- `onerror` attributes on images: `\u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\"\u003e`\n- Other HTML attributes that can execute JavaScript\n\n### Patches\n\nA fix is currently in development. Users should upgrade to version **0.2.1** or later once released.\n\nThe patch escapes all HTML attribute values using `CGI.escapeHTML` to prevent injection attacks.\n\n### Workarounds\n\nUntil a patched version is available, users can implement one or more of these mitigations:\n\n1. **Sanitize output**: Pass the HTML output through a sanitization library like [Sanitize](https://github.com/rgrove/sanitize) or [Loofah](https://github.com/flavorjones/loofah):\n```ruby\n html = ProsemirrorToHtml.render(document)\n safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)\n```\n\n2. **Implement Content Security Policy (CSP)**: Add strict CSP headers to prevent inline JavaScript execution:\n```\n Content-Security-Policy: default-src \u0027self\u0027; script-src \u0027self\u0027\n```\n\n3. **Input validation**: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.\n\n### References\n\n- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)",
"id": "GHSA-52c5-vh7f-26fx",
"modified": "2025-11-06T15:44:36Z",
"published": "2025-11-06T15:44:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx"
},
{
"type": "WEB",
"url": "https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8"
},
{
"type": "PACKAGE",
"url": "https://github.com/etaminstudio/prosemirror_to_html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.